From bf46572ce1c2e1864d39966f6958ad484e686fce Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Mon, 25 Jan 2021 10:58:19 -0500 Subject: [PATCH] Sync fixes from Integration Package Testing (#23424) * Sync changes to AWS CloudTrail https://github.com/elastic/integrations/pull/408 * Sync changes to CheckPoint Firewall Change type of event.severity. https://github.com/elastic/integrations/pull/409 * Sync changes from Cisco ASA / FTD https://github.com/elastic/integrations/pull/414 * Sync changes from Cisco IOS Make icmp and igmp fields strings because they are keywords. https://github.com/elastic/integrations/pull/416 * Sync changes to CrowdStrike Falcon Fix some field types. https://github.com/elastic/integrations/issues/377 * Sync changes to Fortinet Firewall Drop assignip if the value is "N/A". https://github.com/elastic/integrations/pull/437 * Sync changes to Juniper SRX Convert event.risk values to float Protect against missing event.timezone Convert event.severity to long. https://github.com/elastic/integrations/pull/443 * Sync changes to Suricata EVE Convert suricata.eve.flow_id to string because the field is a keyword in the mapping. https://github.com/elastic/integrations/pull/457 * Sync changes to Zeek DNS Fix usages of ignore_failure with convert processor. Make DNS transaction ID a string. 
https://github.com/elastic/integrations/pull/448 * Add changelog --- CHANGELOG.next.asciidoc | 7 +++ .../module/aws/cloudtrail/ingest/pipeline.yml | 8 +-- .../checkpoint/firewall/ingest/pipeline.yml | 5 +- .../module/cisco/ios/config/pipeline.js | 3 - .../module/cisco/ios/pipeline_test.go | 6 +- .../test/cisco-ios-syslog.log-expected.json | 10 +-- .../cisco/shared/ingest/asa-ftd-pipeline.yml | 4 +- .../crowdstrike/falcon/config/pipeline.js | 46 +++++++++++++- .../test/falcon-events.log-expected.json | 1 - .../test/falcon-sample.log-expected.json | 12 ++-- .../fortinet/firewall/ingest/pipeline.yml | 45 +++++++++----- .../module/juniper/srx/ingest/flow.yml | 6 +- .../module/juniper/srx/ingest/pipeline.yml | 17 ++--- .../module/juniper/srx/ingest/utm.yml | 6 +- .../juniper/srx/test/atp.log-expected.json | 8 +-- .../juniper/srx/test/flow.log-expected.json | 62 +++++++++---------- .../juniper/srx/test/idp.log-expected.json | 14 ++--- .../juniper/srx/test/ids.log-expected.json | 24 +++---- .../srx/test/secintel.log-expected.json | 4 +- .../juniper/srx/test/utm.log-expected.json | 28 ++++----- .../module/suricata/eve/config/eve.yml | 1 + .../eve/test/eve-alerts.log-expected.json | 44 ++++++------- .../eve/test/eve-dns-4.1.4.log-expected.json | 48 +++++++------- .../eve/test/eve-small.log-expected.json | 22 +++---- .../filebeat/module/zeek/dns/config/dns.yml | 11 +++- .../zeek/dns/test/dns-json.log-expected.json | 12 ++-- 26 files changed, 266 insertions(+), 188 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 95638ca4e71..d99315bd2a1 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -269,6 +269,13 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix integer overflow in S3 offsets when collecting very large files. {pull}22523[22523]
 - Fix various processing errors in the Suricata module. {pull}23236[23236]
 - Fix CredentialsJSON unpacking for `gcp-pubsub` and `httpjson` inputs. {pull}23277[23277]
+- CheckPoint Firewall module: Change event.severity JSON data type to a number because the field mapping is a `long`. {pull}23424[23424]
+- Cisco IOS: Change icmp.type/code and igmp.type JSON data types to strings because the fields mappings are `keyword`. {pull}23424[23424]
+- CrowdStrike Falcon: Change JSON field types to match the field mappings. {pull}23424[23424]
+- Fortinet Firewall: Drop `fortinet.firewall.assignip` when the value is "N/A". {pull}23424[23424]
+- Juniper SRX: Change JSON field types to match the field mappings. {pull}23424[23424]
+- Suricata EVE: Convert `suricata.eve.flow_id` to string because the field is a keyword in the mapping. {pull}23424[23424]
+- Zeek DNS: Ignore failures in data type conversions. And change `dns.id` JSON field to a string to match its `keyword` mapping. {pull}23424[23424]
 - Change the `event.created` in Netflow events to be the time the event was created by Filebeat to be consistent with ECS. {pull}23094[23094]
 - Update `filestream` reader offset when a line is skipped. {pull}23417[23417]
diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
index 3dd78f82c6d..76cf0f936b6 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
@@ -152,25 +152,25 @@ processors:
 Map map = new HashMap();
 ctx.aws.cloudtrail.put("flattened", map);
 }
- if (ctx.json.requestParameters != null) {
+ if (ctx.json?.requestParameters != null) {
 ctx.aws.cloudtrail.request_parameters = ctx.json.requestParameters.toString();
 if (ctx.aws.cloudtrail.request_parameters.length() < 32766) {
 ctx.aws.cloudtrail.flattened.put("request_parameters", ctx.json.requestParameters);
 }
 }
- if (ctx.json.responseElements != null) {
+ if (ctx.json?.responseElements != null) {
 ctx.aws.cloudtrail.response_elements = ctx.json.responseElements.toString();
 if (ctx.aws.cloudtrail.response_elements.length() < 32766) {
 ctx.aws.cloudtrail.flattened.put("response_elements", ctx.json.responseElements);
 }
 }
- if (ctx.json.additionalEventData != null) {
+ if (ctx.json?.additionalEventData != null) {
 ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString();
 if (ctx.aws.cloudtrail.additional_eventdata.length() < 32766) {
 ctx.aws.cloudtrail.flattened.put("additional_eventdata", ctx.json.additionalEventData);
 }
 }
- if (ctx.json.serviceEventDetails != null) {
+ if (ctx.json?.serviceEventDetails != null) {
 ctx.aws.cloudtrail.service_event_details = ctx.json.serviceEventDetails.toString();
 if (ctx.aws.cloudtrail.service_event_details.length() < 32766) {
 ctx.aws.cloudtrail.flattened.put("service_event_details", ctx.json.serviceEventDetails);
diff --git a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml
index 975a0e76104..b92624e2f6c 100644
--- a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml
@@ -309,9 +309,11 @@ processors:
 type: long
 ignore_failure: true
 ignore_missing: true
-- rename:
+- convert:
 field: checkpoint.severity
 target_field: event.severity
+ type: long
+ ignore_failure: true
 ignore_missing: true
 - rename:
 field: checkpoint.action
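Review bot: The `length() < 32766` guards on the four `ctx.aws.cloudtrail.*` fields count UTF-16 chars, while the limit they appear to protect (Lucene's maximum term length, if that is the intent) is measured in UTF-8 bytes, so a value with multibyte characters can pass the check and still be rejected at index time; the null-safe `ctx.json?.` additions do not change that. The constant is repeated four times with nothing saying what it is; a one-line comment above the first check, `// 32766 is the maximum indexed term length in bytes; length() counts chars, so this is only an approximation`, would record both the intent and the limitation. The script body starts before this hunk, so the code that builds `ctx.aws.cloudtrail` is not visible here.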
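Review bot: With `ignore_failure: true` on the new `convert`, a non-numeric `checkpoint.severity` leaves `event.severity` unset, and the `remove` list in the `@@ -859` hunk now drops `checkpoint.severity` unconditionally, so the original value is lost from the event without any trace. Removing the source only after a successful conversion keeps it recoverable: take it out of the bulk list and use a separate processor such as `- remove: {field: checkpoint.severity, if: "ctx.event?.severity != null", ignore_missing: true}`. The same pattern appears in juniper/srx/ingest/flow.yml (`juniper.srx.application_risk`) and utm.yml (`juniper.srx.urlcategory_risk`), where the source field is likewise appended to the final remove list after a convert that ignores failures.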
@@ -859,6 +861,7 @@ processors:
 - checkpoint.xlatedst
 - checkpoint.uid
 - checkpoint.time
+ - checkpoint.severity
 - syslog5424_ts
 - _temp_
 ignore_missing: true
diff --git a/x-pack/filebeat/module/cisco/ios/config/pipeline.js b/x-pack/filebeat/module/cisco/ios/config/pipeline.js
index 4506f67ccb3..42e10c6969d 100644
--- a/x-pack/filebeat/module/cisco/ios/config/pipeline.js
+++ b/x-pack/filebeat/module/cisco/ios/config/pipeline.js
@@ -166,9 +166,6 @@ var ciscoIOS = (function() {
 {from: "source.port", type: "long"},
 {from: "source.packets", type: "long"},
 {from: "source.packets", to: "network.packets", type: "long"},
- {from: "icmp.type", type: "long"},
- {from: "icmp.code", type: "long"},
- {from: "igmp.type", type: "long"},
 ],
 ignore_missing: true,
 }).Run;
diff --git a/x-pack/filebeat/module/cisco/ios/pipeline_test.go b/x-pack/filebeat/module/cisco/ios/pipeline_test.go
index 6104c25a306..7f5e4a99120 100644
--- a/x-pack/filebeat/module/cisco/ios/pipeline_test.go
+++ b/x-pack/filebeat/module/cisco/ios/pipeline_test.go
@@ -71,8 +71,8 @@ var testCases = []testCase{
 "event.outcome": "deny",
 "event.severity": int64(6),
 "event.type": []string{"connection", "firewall"},
- "icmp.code": int64(5),
- "icmp.type": int64(3),
+ "icmp.code": "5",
+ "icmp.type": "3",
 "log.level": "informational",
 "log.original": isdef.IsNonEmptyString,
 "message": "list 100 denied icmp 198.51.100.1 -> 198.51.100.2 (3/5), 1 packet",
@@ -117,7 +117,7 @@ var testCases = []testCase{
 "event.outcome": "deny",
 "event.severity": int64(6),
 "event.type": []string{"connection", "firewall"},
- "igmp.type": int64(20),
+ "igmp.type": "20",
 "log.level": "informational",
 "log.original": isdef.IsNonEmptyString,
 "message": "list INBOUND-ON-AP denied igmp 198.51.100.1 -> 224.0.0.2 (20), 1 packet",
diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
index 0695d3730aa..5841793ceb8 100644
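Review bot: Nothing left in the `Convert` field list of cisco/ios/config/pipeline.js records why `icmp.type`, `icmp.code` and `igmp.type` are no longer converted, so a later reader will see them arrive as strings and may reintroduce the `long` conversion this commit removes. A one-line comment at the end of the list, `// icmp.type, icmp.code and igmp.type are mapped as keyword; leave them as strings.`, pins the intent next to the code. The enclosing `ciscoIOS` function starts and ends outside this hunk.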
--- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
@@ -66,7 +66,7 @@
 "firewall"
 ],
 "fileset.name": "ios",
- "igmp.type": 20,
+ "igmp.type": "20",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 140,
@@ -251,8 +251,8 @@
 "firewall"
 ],
 "fileset.name": "ios",
- "icmp.code": 4,
- "icmp.type": 3,
+ "icmp.code": "4",
+ "icmp.type": "3",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 760,
@@ -1268,8 +1268,8 @@
 "firewall"
 ],
 "fileset.name": "ios",
- "icmp.code": 3,
- "icmp.type": 3,
+ "icmp.code": "3",
+ "icmp.type": "3",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4125,
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index c46227b79a1..8d0e1b24c63 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -71,7 +71,7 @@ processors:
 # Parse the date included in FTD logs
 #
 - date:
- if: "ctx.event.timezone == null"
+ if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null"
 field: "_temp_.raw_date"
 target_field: "@timestamp"
 formats:
@@ -103,7 +103,7 @@ processors:
 },
 ]
 - date:
- if: "ctx.event.timezone != null"
+ if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null"
 timezone: "{{ event.timezone }}"
 field: "_temp_.raw_date"
 target_field: "@timestamp"
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
index a447a25d15e..46bbf671518 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
+++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
@@ -12,6 +12,10 @@ var crowdstrikeFalconProcessor = (function () {
 function convertToMSEpoch(evt, field) {
 var timestamp = evt.Get(field);
+ if (timestamp == 0) {
+ evt.Delete(field)
+ return
+ }
 if (timestamp) {
 if (timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS
 evt.Put(field, timestamp * 1000);
@@ -103,7 +107,8 @@ var crowdstrikeFalconProcessor = (function () {
 type: "ip"
 }, {
 from: "crowdstrike.event.ProcessId",
- to: "process.pid"
+ to: "process.pid",
+ type: "long"
 }, {
 from: "crowdstrike.event.ParentImageFileName",
 to: "process.parent.executable"
@@ -284,6 +289,7 @@ var crowdstrikeFalconProcessor = (function () {
 }, {
 from: "crowdstrike.event.PID",
 to: "process.pid",
+ type: "long"
 }, {
 from: "crowdstrike.event.RuleId",
@@ -421,6 +427,44 @@ var crowdstrikeFalconProcessor = (function () {
 ignore_missing: false,
 fail_on_error: true
 })
+ .Convert({
+ fields: [
+ {
+ from: "crowdstrike.event.LateralMovement",
+ type: "long",
+ },
+ {
+ from: "crowdstrike.event.LocalPort",
+ type: "long",
+ },
+ {
+ from: "crowdstrike.event.MatchCount",
+ type: "long",
+ },
+ {
+ from: "crowdstrike.event.MatchCountSinceLastReport",
+ type: "long",
+ },
+ {
+ from: "crowdstrike.event.PID",
+ type: "long",
+ },
+ {
+ from: "crowdstrike.event.RemotePort",
+ type: "long",
+ },
+ {
+ from: "source.port",
+ type: "long",
+ },
+ {
+ from: "destination.port",
+ type: "long",
+ }
+ ],
+ ignore_missing: true,
+ fail_on_error: false
+ })
 .Build()
 .Run
 })();
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
index 47c0e10f47a..eab6fb1db0e 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
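Review bot: `if (timestamp == 0)` in `convertToMSEpoch` uses loose equality, so an empty string or the string `"0"` also deletes the field, while the removed `ProcessEndTime: 0` fixture line suggests only the numeric zero was meant; `if (timestamp === 0) {` makes that explicit. The two lines inside that branch also omit the semicolons the rest of the function uses (`evt.Delete(field);` and `return;`), leaving them to automatic semicolon insertion. A short comment such as `// 0 appears to mean "not set"; drop the field rather than emit the epoch` would explain why zero is handled before the generic branch — assuming that is the reason, which the diff does not state. In the trailing `.Convert`, `fail_on_error: false` means a non-numeric value stays a string in a `long`-mapped field and fails at index time rather than in the pipeline; if that trade-off is deliberate, a comment saying so would help the next reader. The enclosing `crowdstrikeFalconProcessor` function starts outside these hunks.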
@@ -29,7 +29,6 @@ "crowdstrike.event.PatternDispositionFlags.Rooting": false, "crowdstrike.event.PatternDispositionFlags.SensorOnly": false, "crowdstrike.event.PatternDispositionValue": 16, - "crowdstrike.event.ProcessEndTime": 0, "crowdstrike.event.ProcessId": 38684386611, "crowdstrike.event.ProcessStartTime": "2018-09-13T13:45:39.000Z", "crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json index a122e788b08..becdbecc7c8 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json @@ -10,16 +10,16 @@ "crowdstrike.event.HostName": "TESTDEVICE01", "crowdstrike.event.Ipv": "ipv4", "crowdstrike.event.LocalAddress": "10.37.60.194", - "crowdstrike.event.LocalPort": "445", + "crowdstrike.event.LocalPort": 445, "crowdstrike.event.MatchCount": 1, "crowdstrike.event.MatchCountSinceLastReport": 1, "crowdstrike.event.NetworkProfile": "2", - "crowdstrike.event.PID": "206158879910", + "crowdstrike.event.PID": 206158879910, "crowdstrike.event.PolicyID": "74e7f1552a3a4d90a6d65578642c8584", "crowdstrike.event.PolicyName": "PROD-FW-Workstations-General", "crowdstrike.event.Protocol": "6", "crowdstrike.event.RemoteAddress": "10.37.60.21", - "crowdstrike.event.RemotePort": "54952", + "crowdstrike.event.RemotePort": 54952, "crowdstrike.event.RuleAction": "2", "crowdstrike.event.RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa", "crowdstrike.event.RuleGroupName": "SMB Rules", @@ -32,7 +32,7 @@ "crowdstrike.metadata.offset": 70689, "crowdstrike.metadata.version": "1.0", "destination.ip": "10.37.60.194", - "destination.port": "445", + "destination.port": 445, "event.action": "firewall_match_event", "event.category": [ "network" 
@@ -58,7 +58,7 @@ "message": "Firewall Rule 'Inbound SMB Block & Log Private' triggered", "network.direction": "ingress", "network.type": "ipv4", - "process.pid": "206158879910", + "process.pid": 206158879910, "related.ip": [ "10.37.60.21", "10.37.60.194" @@ -70,7 +70,7 @@ "rule.ruleset": "SMB Rules", "service.type": "crowdstrike", "source.ip": "10.37.60.21", - "source.port": "54952", + "source.port": 54952, "tags": [ "forwarded" ] diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml index 22d44e5664a..a227d770082 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml 
@@ -80,26 +80,26 @@ processors:
 formats:
 - UNIX_MS
 timezone: "{{fortinet.firewall.tz}}"
- if: "ctx.fortinet?.firewall?.tz != null && ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
+ if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
 - date:
 field: fortinet.firewall.eventtime
 target_field: event.start
 formats:
 - UNIX
 timezone: "{{fortinet.firewall.tz}}"
- if: "ctx.fortinet?.firewall?.tz != null && ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
+ if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
 - date:
 field: fortinet.firewall.eventtime
 target_field: event.start
 formats:
 - UNIX_MS
- if: "ctx.fortinet?.firewall?.tz == null && ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
+ if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
 - date:
 field: fortinet.firewall.eventtime
 target_field: event.start
 formats:
 - UNIX
- if: "ctx.fortinet?.firewall?.tz == null && ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
+ if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
 - script:
 lang: painless
 source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000"
@@ -134,6 +134,9 @@ processors:
 field: fortinet.firewall.level
 target_field: log.level
 ignore_missing: true
+- remove:
+ field: fortinet.firewall.assignip
+ if: "ctx.fortinet?.firewall?.assignip == 'N/A'"
 - remove:
 field: fortinet.firewall.dstip
 if: "ctx.fortinet?.firewall?.dstip == 'N/A'"
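Review bot: `ctx?.fortinet?.firewall?.eventtime` applies the null-safe operator to `ctx` itself, which is not null in an ingest condition; moving the `eventtime` check ahead of the `tz` check is what the four conditions actually needed, so `ctx.fortinet?.firewall?.eventtime != null` reads the same without implying `ctx` can be absent. The new `assignip` processor repeats the `== 'N/A'` removal pattern used for `dstip` directly below it, one processor per field; if more fields get the same treatment, a single painless `script` iterating a list of field names and calling `ctx.fortinet.firewall.remove(f)` when the value equals `'N/A'` keeps the rule in one place. The surrounding `processors` list continues outside both hunks.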
@@ -222,16 +225,18 @@ processors:
 )
 - remove:
 field:
- - _temp
- - message
- - syslog5424_sd
- - syslog5424_pri
- - fortinet.firewall.tz
- - fortinet.firewall.date
- - fortinet.firewall.eventtime
- - fortinet.firewall.time
- - fortinet.firewall.duration
- - host
+ - _temp.time
+ - _temp
+ - message
+ - syslog5424_sd
+ - syslog5424_pri
+ - fortinet.firewall.tz
+ - fortinet.firewall.date
+ - fortinet.firewall.devid
+ - fortinet.firewall.eventtime
+ - fortinet.firewall.time
+ - fortinet.firewall.duration
+ - host
 ignore_missing: true
 - pipeline:
 name: '{< IngestPipeline "event" >}'
@@ -242,6 +247,18 @@ processors:
 - pipeline:
 name: '{< IngestPipeline "utm" >}'
 if: "ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'"
+- convert:
+ field: fortinet.firewall.quotamax
+ type: long
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.quotaused
+ type: long
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.size
+ type: long
+ ignore_missing: true
 on_failure:
 - set:
 field: error.message
diff --git a/x-pack/filebeat/module/juniper/srx/ingest/flow.yml b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml
index 1a488a57bd8..0671bff51b2 100644
--- a/x-pack/filebeat/module/juniper/srx/ingest/flow.yml
+++ b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml
@@ -13,11 +13,12 @@ processors:
 - append:
 field: event.category
 value: network
-- rename:
+- convert:
 field: juniper.srx.application_risk
+ type: float
 target_field: event.risk_score
 ignore_missing: true
- if: "ctx.juniper?.srx?.application_risk != null"
+ ignore_failure: true
 - append:
 field: event.type
 value:
@@ -344,6 +345,7 @@ processors:
 #############
 - remove:
 field:
+ - juniper.srx.application_risk
 - juniper.srx.destination_port
 - juniper.srx.nat_destination_port
 - juniper.srx.bytes_from_client
diff --git a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml
index 5bc4d45e82e..9fb9057b8fa 100644
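Review bot: The three new `convert` processors for `fortinet.firewall.quotamax`, `quotaused` and `size` carry `ignore_missing` but no `ignore_failure`, so a non-numeric value in any of them fails the pipeline at that point and routes the event to the `on_failure` handler that sets `error.message`; that differs from the `ignore_failure: true` policy the checkpoint and juniper converts in this same commit use, so either add `ignore_failure: true` here or note why a bad value should be flagged for these three fields. In the `remove` list, `- _temp.time` is redundant with `- _temp` on the next line, since removing the parent removes the child. `fortinet.firewall.devid` is also dropped with nothing in the hunk showing it was copied to an ECS field first; if no earlier processor does so, the device identifier is lost from the indexed event. The `processors` list of this pipeline extends beyond both hunks.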
--- a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml
@@ -27,7 +27,7 @@ processors:
 # Parse the date
 #
 - date:
- if: "ctx.event.timezone == null"
+ if: "ctx?.event?.timezone == null"
 field: _temp_.raw_date
 target_field: "@timestamp"
 formats:
@@ -36,7 +36,7 @@ processors:
 - yyyy-MM-dd HH:mm:ss Z
 - ISO8601
 - date:
- if: "ctx.event.timezone != null"
+ if: "ctx?.event?.timezone != null"
 timezone: "{{ event.timezone }}"
 field: _temp_.raw_date
 target_field: "@timestamp"
@@ -55,7 +55,7 @@ processors:
 - rename:
 field: juniper.srx.elapsed_time
 target_field: juniper.srx.duration
- if: "ctx.juniper?.srx?.elapsed_time != null"
+ if: "ctx?.juniper?.srx?.elapsed_time != null"
 # Sets starts, end and duration when start and duration is known
 - script:
@@ -88,9 +88,11 @@ processors:
 - set:
 field: event.dataset
 value: juniper.srx
-- set:
- field: event.severity
- value: '{{syslog_pri}}'
+- convert:
+ field: syslog_pri
+ type: long
+ target_field: event.severity
+ ignore_failure: true
 - rename:
 field: log.original
 target_field: event.original
@@ -197,8 +199,7 @@ processors:
 - remove:
 field:
 - message
- - _temp_
- - _temp
+ - _temp_.raw_date
 - juniper.srx.duration
 - juniper.srx.dir_disp
 - juniper.srx.srczone
diff --git a/x-pack/filebeat/module/juniper/srx/ingest/utm.yml b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml
index a80e5a94d97..794fe15883b 100644
--- a/x-pack/filebeat/module/juniper/srx/ingest/utm.yml
+++ b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml
@@ -13,11 +13,12 @@ processors:
 - append:
 field: event.category
 value: network
-- rename:
+- convert:
 field: juniper.srx.urlcategory_risk
+ type: float
 target_field: event.risk_score
 ignore_missing: true
- if: "ctx.juniper?.srx?.urlcategory_risk != null"
+ ignore_failure: true
 - set:
 field: event.kind
 value: alert
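Review bot: The `remove` in the `@@ -197` hunk of juniper/srx/ingest/pipeline.yml now deletes only `_temp_.raw_date` where it previously deleted `_temp_` and `_temp` wholesale, so any other key an earlier processor stores under `_temp_` (not visible here) is now indexed with the event; if `raw_date` is the only thing that ever lives there this is fine, otherwise the container should still be removed once the date processors have consumed it. The new `convert` of `syslog_pri` into `event.severity` relies on `ignore_failure: true` to also cover the missing-field case; adding `ignore_missing: true` states that intent and leaves `ignore_failure` for genuine parse errors only. The `ctx?.event?.timezone` conditions null-check `ctx` itself, which is not null in an ingest condition; `ctx.event?.timezone` is sufficient, and is the form the cisco asa-ftd pipeline in this same commit uses.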
@@ -380,6 +381,7 @@ processors: - juniper.srx.nat_source_port - juniper.srx.bytes_from_server - juniper.srx.packets_from_server + - juniper.srx.urlcategory_risk ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json index 4187866594e..69639938252 100644 --- a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json @@ -25,7 +25,7 @@ "event.module": "juniper", "event.original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=\u201dcloud/blacklist/whitelist\u201d source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "info", @@ -82,7 +82,7 @@ "event.module": "juniper", "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "info", 
@@ -130,7 +130,7 @@ "event.module": "juniper", "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "allowed", @@ -182,7 +182,7 @@ "event.module": "juniper", "event.original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"", "event.outcome": "success", - "event.severity": "165", + "event.severity": 165, "event.timezone": "-02:00", "event.type": [ "allowed", diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json index b597ed2afc5..9eb70c83a64 100644 --- a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json 
@@ -17,8 +17,8 @@ "event.module": "juniper", "event.original": "source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", "event.outcome": "success", - "event.risk_score": "1", - "event.severity": "14", + "event.risk_score": 1.0, + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "start", @@ -78,8 +78,8 @@ "event.module": "juniper", "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", "event.outcome": "success", - "event.risk_score": "1", - "event.severity": "14", + "event.risk_score": 1.0, + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "denied", 
@@ -141,7 +141,7 @@ "event.module": "juniper", "event.original": "source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "denied", @@ -217,7 +217,7 @@ "event.module": "juniper", "event.original": "reason=\"unset\" source-address=\"1.2.3.4\" source-port=\"63456\" destination-address=\"5.6.7.8\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"1.2.3.4\" nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2014-05-01T06:28:10.933-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -299,7 +299,7 @@ "event.module": "juniper", "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "start", @@ -370,7 +370,7 @@ "event.module": "juniper", "event.original": "source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "start", 
@@ -442,7 +442,7 @@ "event.module": "juniper", "event.original": "reason=\"response received\" source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2010-09-30T04:55:07.188-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -524,8 +524,8 @@ "event.module": "juniper", "event.original": "reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"8.23.224.110\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"8.23.224.110\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"", "event.outcome": "success", - "event.risk_score": "4", - "event.severity": "14", + "event.risk_score": 4.0, + "event.severity": 14, "event.start": "2019-04-12T12:29:06.576-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -608,7 +608,7 @@ "event.module": "juniper", "event.original": "reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2019-04-13T12:33:06.576-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -690,7 +690,7 @@
 "event.module": "juniper",
 "event.original": "reason=\"idle Timeout\" source-address=\"100.73.10.92\" source-port=\"52890\" destination-address=\"58.68.126.198\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"58.78.140.131\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.start": "2018-10-06T23:32:20.898-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -784,7 +784,7 @@
 "event.module": "juniper",
 "event.original": "reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.start": "2018-06-30T00:17:22.753-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -861,7 +861,7 @@
 "event.module": "juniper",
 "event.original": "reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.start": "2015-09-25T12:19:53.846-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -940,7 +940,7 @@
 "event.module": "juniper",
 "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.timezone": "-02:00",
 "event.type": [
 "start",
@@ -1024,7 +1024,7 @@
 "event.module": "juniper",
 "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.start": "2013-01-19T15:18:17.040-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -1115,7 +1115,7 @@
 "event.module": "juniper",
 "event.original": "reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.start": "2013-01-19T15:18:17.040-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -1208,7 +1208,7 @@
 "event.module": "juniper",
 "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.start": "2013-01-19T15:18:18.040-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -1296,7 +1296,7 @@
 "event.module": "juniper",
 "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=\u201dpf1\u201d rule-name=\u201dfacebook1\u201d routing-instance=\u201dinstance1\u201d destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.timezone": "-02:00",
 "event.type": [
 "start",
@@ -1386,7 +1386,7 @@
 "event.module": "juniper",
 "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.start": "2013-01-19T15:18:20.040-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -1471,7 +1471,7 @@
 "event.module": "juniper",
 "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.timezone": "-02:00",
 "event.type": [
 "start",
@@ -1534,8 +1534,8 @@
 "event.module": "juniper",
 "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"",
 "event.outcome": "success",
- "event.risk_score": "1",
- "event.severity": "14",
+ "event.risk_score": 1.0,
+ "event.severity": 14,
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
@@ -1606,7 +1606,7 @@
 "event.module": "juniper",
 "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.start": "2020-01-19T15:18:20.040-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -1702,7 +1702,7 @@
 "event.module": "juniper",
 "event.original": "source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"46.165.154.241\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"46.165.154.241\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.start": "2020-07-14T12:17:11.928-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -1788,8 +1788,8 @@
 "event.module": "juniper",
 "event.original": "reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"91.228.167.172\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"91.228.167.172\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
 "event.outcome": "success",
- "event.risk_score": "1",
- "event.severity": "14",
+ "event.risk_score": 1.0,
+ "event.severity": 14,
 "event.start": "2020-07-13T14:43:05.041-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -1875,8 +1875,8 @@
 "event.module": "juniper",
 "event.original": "source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
 "event.outcome": "success",
- "event.risk_score": "1",
- "event.severity": "14",
+ "event.risk_score": 1.0,
+ "event.severity": 14,
 "event.timezone": "-02:00",
 "event.type": [
 "start",
@@ -1954,7 +1954,7 @@
 "event.module": "juniper",
 "event.original": "reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.start": "2020-07-13T14:12:05.530-02:00",
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json
index 7704c88fac0..8a5a7307355 100644
--- a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json
@@ -24,7 +24,7 @@
 "event.module": "juniper",
 "event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"",
 "event.outcome": "success",
- "event.severity": "165",
+ "event.severity": 165,
 "event.start": "2020-03-02T21:13:03.193-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -112,7 +112,7 @@
 "event.module": "juniper",
 "event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"",
 "event.outcome": "success",
- "event.severity": "165",
+ "event.severity": 165,
 "event.start": "2020-03-02T21:13:03.197-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -200,7 +200,7 @@
 "event.module": "juniper",
 "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.111.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"",
 "event.outcome": "success",
- "event.severity": "165",
+ "event.severity": 165,
 "event.start": "2007-02-15T07:17:15.719-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -285,7 +285,7 @@
 "event.module": "juniper",
 "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.30.11\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"",
 "event.outcome": "success",
- "event.severity": "165",
+ "event.severity": 165,
 "event.start": "2017-10-12T19:55:55.792-02:00",
 "event.timezone": "-02:00",
 "event.type": [
@@ -359,7 +359,7 @@
 "event.module": "juniper",
 "event.original": "epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"",
 "event.outcome": "success",
- "event.severity": "165",
+ "event.severity": 165,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -414,7 +414,7 @@
 "event.module": "juniper",
 "event.original": "epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"",
 "event.outcome": "success",
- "event.severity": "165",
+ "event.severity": 165,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -482,7 +482,7 @@
 "event.module": "juniper",
 "event.original": "epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"",
 "event.outcome": "success",
- "event.severity": "165",
+ "event.severity": 165,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json
index 10abae2fa6d..e92c17e6a4c 100644
--- a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json
@@ -22,7 +22,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -82,7 +82,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -140,7 +140,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -206,7 +206,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -273,7 +273,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -337,7 +337,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -395,7 +395,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -448,7 +448,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -509,7 +509,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -553,7 +553,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -610,7 +610,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -661,7 +661,7 @@
 "event.module": "juniper",
 "event.original": "attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
- "event.severity": "11",
+ "event.severity": 11,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json
index 49667e85897..9385beef0b0 100644
--- a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json
@@ -15,7 +15,7 @@
 "event.module": "juniper",
 "event.original": "category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -81,7 +81,7 @@
 "event.module": "juniper",
 "event.original": "category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"",
 "event.outcome": "success",
- "event.severity": "14",
+ "event.severity": 14,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json
index f9890a6ca0f..6b0aa31072f 100644
--- a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json
@@ -22,7 +22,7 @@
 "event.module": "juniper",
 "event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"",
 "event.outcome": "success",
- "event.severity": "12",
+ "event.severity": 12,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -83,7 +83,7 @@
 "event.module": "juniper",
 "event.original": "source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"",
 "event.outcome": "success",
- "event.severity": "12",
+ "event.severity": 12,
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
@@ -137,7 +137,7 @@
 "event.module": "juniper",
 "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"",
 "event.outcome": "success",
- "event.severity": "12",
+ "event.severity": 12,
 "event.timezone": "-02:00",
 "event.type": [
 "info",
@@ -197,7 +197,7 @@
 "event.module": "juniper",
 "event.original": "source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"",
 "event.outcome": "success",
- "event.severity": "12",
+ "event.severity": 12,
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
@@ -251,7 +251,7 @@ "event.module": "juniper", "event.original": "source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"", "event.outcome": "success", - "event.severity": "12", + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "allowed", @@ -295,7 +295,7 @@ "event.module": "juniper", "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "info", @@ -344,7 +344,7 @@ "event.module": "juniper", "event.original": "source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "info", @@ -406,7 +406,7 @@ "event.module": "juniper", "event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", "event.outcome": "success", - "event.severity": "12", + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "info", 
@@ -462,7 +462,7 @@ "event.module": "juniper", "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", "event.outcome": "success", - "event.severity": "12", + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "info", @@ -529,8 +529,8 @@ "event.module": "juniper", "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"", "event.outcome": "success", - "event.risk_score": "0", - "event.severity": "14", + "event.risk_score": 0.0, + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "allowed", @@ -594,8 +594,8 @@ "event.module": "juniper", "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"", "event.outcome": "success", - "event.risk_score": "3", - "event.severity": "12", + "event.risk_score": 3.0, + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "info", 
@@ -651,7 +651,7 @@ "event.module": "juniper", "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"", "event.outcome": "success", - "event.severity": "12", + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "allowed", diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml index 5b6d1c821e0..8ce69929983 100644 --- a/x-pack/filebeat/module/suricata/eve/config/eve.yml +++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml @@ -24,6 +24,7 @@ processors: - {from: suricata.eve.dest_ip, to: destination.address} - {from: suricata.eve.dest_port, to: destination.port, type: long} - {from: suricata.eve.proto, to: network.transport} + - {from: suricata.eve.flow_id, type: string} - convert: ignore_missing: true fail_on_error: false diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index ecccab3a10f..457a16da86f 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json @@ -64,7 +64,7 @@ "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 2191386088856669, + "suricata.eve.flow_id": "2191386088856669", "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", 
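Review bot: The new `- {from: suricata.eve.flow_id, type: string}` entry has no `to`, so it is an in-place conversion inside a processor whose `mode`/`fail_on_error` settings lie above the hunk; that intent deserves a comment, e.g. `# flow_id is mapped as keyword; stringify in place so numeric values cannot collide with the mapping`. Suricata's flow_id is a 64-bit value and this conversion runs after the JSON decode, so it can only preserve whatever precision the decoder kept — if that step decodes numbers as float64, ids above 2^53 would already be rounded before they become strings; the fixtures here (~2e15) do not exercise that range, so confirm the decoder keeps integers exact. The enclosing convert block starts outside the hunk.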
@@ -145,7 +145,7 @@ "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 678269478904081, + "suricata.eve.flow_id": "678269478904081", "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -226,7 +226,7 @@ "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 1170030461115650, + "suricata.eve.flow_id": "1170030461115650", "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -307,7 +307,7 @@ "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 49628113637132, + "suricata.eve.flow_id": "49628113637132", "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -388,7 +388,7 @@ "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 116307482565223, + "suricata.eve.flow_id": "116307482565223", "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -469,7 +469,7 @@ "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 1205867738178946, + "suricata.eve.flow_id": "1205867738178946", "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", 
@@ -550,7 +550,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 764842923400056, + "suricata.eve.flow_id": "764842923400056", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 0, @@ -631,7 +631,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 0, @@ -712,7 +712,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 1, @@ -793,7 +793,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 764842923400056, + "suricata.eve.flow_id": "764842923400056", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 1, 
@@ -874,7 +874,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 764842923400056, + "suricata.eve.flow_id": "764842923400056", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 2, @@ -955,7 +955,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 764842923400056, + "suricata.eve.flow_id": "764842923400056", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 3, @@ -1036,7 +1036,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 2, @@ -1117,7 +1117,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 3, 
@@ -1198,7 +1198,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 4, @@ -1279,7 +1279,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 5, @@ -1360,7 +1360,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 6, @@ -1441,7 +1441,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 7, 
@@ -1521,7 +1521,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 8, @@ -1601,7 +1601,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 9, @@ -1651,7 +1651,7 @@ "source.ip": "10.126.2.140", "source.port": 45884, "suricata.eve.event_type": "tls", - "suricata.eve.flow_id": 1091813059495729, + "suricata.eve.flow_id": "1091813059495729", "suricata.eve.in_iface": "enp5s0", "suricata.eve.tls.fingerprint": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33", "suricata.eve.tls.issuerdn": "C=US, O=Google Inc, CN=Google Internet Authority G2", @@ -1741,7 +1741,7 @@ "suricata.eve.alert.signature": "SURICATA TLS on unusual port", "suricata.eve.alert.signature_id": 2610003, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 991192778198299, + "suricata.eve.flow_id": "991192778198299", "suricata.eve.in_iface": "enp0s31f6", "suricata.eve.tls.fingerprint": "36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc", "suricata.eve.tls.issuerdn": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json index c61e3f6d12a..cdcf57030e6 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json 
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json @@ -40,7 +40,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 885455453886936, + "suricata.eve.flow_id": "885455453886936", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -87,7 +87,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1418448010418810, + "suricata.eve.flow_id": "1418448010418810", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -151,7 +151,7 @@ "suricata.eve.dns.rrtype": "AAAA", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1418448010418810, + "suricata.eve.flow_id": "1418448010418810", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -215,7 +215,7 @@ "suricata.eve.dns.rrtype": "A", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 885455453886936, + "suricata.eve.flow_id": "885455453886936", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -263,7 +263,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 40074894954311, + "suricata.eve.flow_id": "40074894954311", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -311,7 +311,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 2130691028471842, + "suricata.eve.flow_id": "2130691028471842", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -406,7 +406,7 @@ "suricata.eve.dns.rrtype": "A", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 40074894954311, + "suricata.eve.flow_id": "40074894954311", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" 
@@ -501,7 +501,7 @@ "suricata.eve.dns.rrtype": "AAAA", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 2130691028471842, + "suricata.eve.flow_id": "2130691028471842", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -549,7 +549,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -597,7 +597,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -655,7 +655,7 @@ "suricata.eve.dns.ttl": 1315, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -717,7 +717,7 @@ "suricata.eve.dns.ttl": 15, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -779,7 +779,7 @@ "suricata.eve.dns.ttl": 15, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -841,7 +841,7 @@ "suricata.eve.dns.ttl": 15, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" 
@@ -903,7 +903,7 @@ "suricata.eve.dns.ttl": 15, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -961,7 +961,7 @@ "suricata.eve.dns.ttl": 1268, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1023,7 +1023,7 @@ "suricata.eve.dns.ttl": 53, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1085,7 +1085,7 @@ "suricata.eve.dns.ttl": 53, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1147,7 +1147,7 @@ "suricata.eve.dns.ttl": 53, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1209,7 +1209,7 @@ "suricata.eve.dns.ttl": 53, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1257,7 +1257,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 2181951993205289, + "suricata.eve.flow_id": "2181951993205289", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" 
@@ -1305,7 +1305,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 928596784370390, + "suricata.eve.flow_id": "928596784370390", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1400,7 +1400,7 @@ "suricata.eve.dns.rrtype": "A", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 2181951993205289, + "suricata.eve.flow_id": "2181951993205289", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1495,7 +1495,7 @@ "suricata.eve.dns.rrtype": "AAAA", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 928596784370390, + "suricata.eve.flow_id": "928596784370390", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 66204334c43..50125bc3f3c 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -29,7 +29,7 @@ "source.ip": "192.168.86.85", "source.port": 55406, "suricata.eve.event_type": "ssh", - "suricata.eve.flow_id": 298824096901438, + "suricata.eve.flow_id": "298824096901438", "suricata.eve.in_iface": "en0", "suricata.eve.ssh.client.proto_version": "2.0", "suricata.eve.ssh.client.software_version": "OpenSSH_7.6", @@ -88,7 +88,7 @@ "suricata.eve.alert.signature": "ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)", "suricata.eve.alert.signature_id": 2024833, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 904992230150281, + "suricata.eve.flow_id": "904992230150281", "suricata.eve.in_iface": "en0", "suricata.eve.tls.session_resumed": true, "suricata.eve.tls.sni": "l2.io", 
@@ -142,7 +142,7 @@ "source.ip": "192.168.86.85", "source.port": 56119, "suricata.eve.event_type": "http", - "suricata.eve.flow_id": 2115002772430095, + "suricata.eve.flow_id": "2115002772430095", "suricata.eve.http.http_content_type": "text/xml", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "en0", @@ -204,7 +204,7 @@ "suricata.eve.fileinfo.state": "CLOSED", "suricata.eve.fileinfo.stored": false, "suricata.eve.fileinfo.tx_id": 0, - "suricata.eve.flow_id": 2211411903323127, + "suricata.eve.flow_id": "2211411903323127", "suricata.eve.http.http_content_type": "application/xml", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "en0", @@ -274,7 +274,7 @@ "suricata.eve.dns.ttl": 299, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1684780223079543, + "suricata.eve.flow_id": "1684780223079543", "suricata.eve.in_iface": "en0", "tags": [ "suricata" @@ -455,7 +455,7 @@ "source.ip": "192.168.86.85", "source.port": 56187, "suricata.eve.event_type": "tls", - "suricata.eve.flow_id": 89751777876473, + "suricata.eve.flow_id": "89751777876473", "suricata.eve.in_iface": "en0", "suricata.eve.tls.fingerprint": "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47", "suricata.eve.tls.issuerdn": "CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US", @@ -532,7 +532,7 @@ "suricata.eve.flow.alerted": false, "suricata.eve.flow.reason": "timeout", "suricata.eve.flow.state": "new", - "suricata.eve.flow_id": 1828507008887644, + "suricata.eve.flow_id": "1828507008887644", "tags": [ "suricata" ] @@ -574,7 +574,7 @@ "source.ip": "192.168.50.1", "source.port": 57134, "suricata.eve.event_type": "http", - "suricata.eve.flow_id": 913701662641234, + "suricata.eve.flow_id": "913701662641234", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "eno6", "suricata.eve.tx_id": 0, 
@@ -622,7 +622,7 @@ "source.ip": "192.168.50.1", "source.port": 60614, "suricata.eve.event_type": "tls", - "suricata.eve.flow_id": 1298574590709840, + "suricata.eve.flow_id": "1298574590709840", "suricata.eve.in_iface": "eno6", "suricata.eve.tls.fingerprint": "18:3c:11:45:46:e9:26:c7:87:64:0f:ed:47:86:1b:31:bf:0f:84:25", "suricata.eve.tls.issuerdn": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018", @@ -693,7 +693,7 @@ "source.ip": "192.168.50.1", "source.port": 50898, "suricata.eve.event_type": "http", - "suricata.eve.flow_id": 1097935193623328, + "suricata.eve.flow_id": "1097935193623328", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "eno6", "suricata.eve.tx_id": 0, @@ -742,7 +742,7 @@ "source.ip": "192.168.50.1", "source.port": 12509, "suricata.eve.event_type": "tls", - "suricata.eve.flow_id": 289459143040794, + "suricata.eve.flow_id": "289459143040794", "suricata.eve.in_iface": "eno6", "suricata.eve.tls.ja3.hash": "44d502d471cfdb99c59bdfb0f220e5a8", "suricata.eve.tls.ja3.string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-41,29-23-24,0", diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml index 091cacf2a18..9381f616b89 100644 --- a/x-pack/filebeat/module/zeek/dns/config/dns.yml +++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml @@ -164,7 +164,7 @@ processors: } - convert: ignore_missing: true - ignore_failure: true + fail_on_error: false mode: rename fields: - {from: zeek.dns.id.orig_h, to: source.address} 
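Review bot: Replacing `ignore_failure: true` with `fail_on_error: false` on the `mode: rename` processor is the right fix, but nothing records why: `ignore_failure` is an Elasticsearch ingest-pipeline option, not a Beats convert option, so it was presumably being ignored and the processor ran with the default `fail_on_error: true`, under which one malformed value would have reverted every rename in the block. Suggest `# fail_on_error (not ignore_failure) is the Beats convert option; keep the other renames if one field is malformed` above `fail_on_error: false` so the next reader does not "correct" it back. The processor's `fields` list continues past the hunk.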
@@ -175,16 +175,21 @@ processors: - {from: zeek.dns.proto, to: network.transport} - convert: ignore_missing: true - ignore_failure: true + fail_on_error: false mode: copy fields: - {from: source.address, to: source.ip, type: ip} - {from: destination.address, to: destination.ip, type: ip} - {from: zeek.session_id, to: event.id} - - {from: zeek.dns.trans_id, to: dns.id} + - {from: zeek.dns.trans_id, to: dns.id, type: string} - {from: zeek.dns.query, to: dns.question.name} - {from: zeek.dns.qtype_name, to: dns.question.type} - {from: zeek.dns.rcode_name, to: dns.response_code} + - convert: + ignore_missing: true + fail_on_error: false + fields: + - {from: zeek.dns.trans_id, type: string} - add_fields: target: event fields: diff --git a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json index 61a57b55bd8..5be6888c0c9 100644 --- a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json @@ -22,7 +22,7 @@ "RD", "RA" ], - "dns.id": 15209, + "dns.id": "15209", "dns.question.class": "IN", "dns.question.name": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io", "dns.question.registered_domain": "es.io", @@ -88,7 +88,7 @@ "zeek.dns.rcode_name": "NOERROR", "zeek.dns.rejected": false, "zeek.dns.rtt": 0.076967, - "zeek.dns.trans_id": 15209, + "zeek.dns.trans_id": "15209", "zeek.session_id": "CAcJw21BbVedgFnYH3" }, { @@ -96,7 +96,7 @@ "destination.address": "ff02::fb", "destination.ip": "ff02::fb", "destination.port": 5353, - "dns.id": 0, + "dns.id": "0", "dns.question.class": "IN", "dns.question.name": "_googlecast._tcp.local", "dns.question.registered_domain": "_tcp.local", @@ -143,7 +143,7 @@ "zeek.dns.qtype_name": "PTR", "zeek.dns.query": "_googlecast._tcp.local", "zeek.dns.rejected": false, - "zeek.dns.trans_id": 0, + "zeek.dns.trans_id": "0", "zeek.session_id": "C19a1k4lTv46YMbeOk" }, { 
@@ -158,7 +158,7 @@ } ], "dns.header_flags": "AA", - "dns.id": 0, + "dns.id": "0", "dns.question.name": "_googlecast._tcp.local", "dns.question.registered_domain": "_tcp.local", "dns.question.subdomain": "_googlecast", @@ -209,7 +209,7 @@ "zeek.dns.rcode": 0, "zeek.dns.rcode_name": "NOERROR", "zeek.dns.rejected": false, - "zeek.dns.trans_id": 0, + "zeek.dns.trans_id": "0", "zeek.session_id": "CdiVAw7jJw6gsX5H" } ] \ No newline at end of file